Companies are taking the new General Data Protection Regulation (GDPR) much more seriously than HIPAA and PCI: 99 percent are actively involved in the process to become GDPR-compliant, despite the cost and internal reorganization involved, a new survey that polled 300 C-level security executives has shown.
About half (49 percent) are 75 percent of the way through the process, and another 37 percent are halfway there. What’s more, 71 percent of the pollees are confident that they’ll be fully compliant by the May 25 deadline.
What are they doing?
“People are taking GDPR seriously because of how many high-profile data breaches we have all witnessed in the last few years,” said Ferruh Mavituna, CEO of Netsparker.
“In the past, blame for data breaches was shifted around from party to party. Was it the business? The individual? The government? GDPR removes the ambiguity. As of May 25, businesses are responsible for data breaches. As a result, companies will have to restructure how they handle data, and, if they don’t have a sound IT infrastructure, they will have to rebuild from the ground up. It’s heartening to see that so many companies are taking themselves to task.”
In preparation for GDPR, 57 percent of companies are re-engineering internal systems and procedures, 55 percent are recruiting new people specifically to tackle GDPR compliance, and 48 percent are re-engineering internal security teams.
GDPR compliance costs
The cost of GDPR is steep: while 80 percent of those in a micro company (1-9 employees) expect GDPR compliance to cost their business under $50,000, 92 percent of those working at an enterprise (over 1,000 employees) expect GDPR compliance to cost their business over $50,000.
Sixty-three percent of the pollees say they have a dedicated team taking care of compliance, while 28 percent have hired a third-party firm to help them.
Although 82 percent of companies currently have a data privacy officer (DPO) on staff, 77 percent plan to hire a new, replacement DPO prior to GDPR going into effect.
In general, the more employees a business has, the bigger the compliance team. More than one-third (37 percent) of businesses have had to hire at least six new employees to achieve GDPR compliance, and almost 1 in 5 (19 percent) have had to hire at least 10.
The impact of GDPR
Security executives expect the technology industry will be most affected by GDPR (53 percent), followed by online retailers (45 percent), software companies (44 percent), and financial services (37 percent).
Almost all pollees believe that GDPR should have a positive impact on the security of applications: most of them expect businesses to invest more in web application security and to be more diligent about changing and updating their systems and procedures.